This demonstration attempts to automate interacting with the Keeper Chrome
extension so that the page can steal passwords.
This is done by:
- Creating a hidden form that Keeper adds a button to.
- Finding that button, then clicking it with JavaScript.
- Keeper injects a search dialog into the page, which I enter "Twitter" into.
- Waiting for Keeper to draw an iframe with the search results.
- Moving the frame around so you don't know what you're clicking on.
- If you do click it, the password is sent to the untrusted page.
The result is that if you click anywhere on a page, you could be sending a
password for another site.
Try clicking this link:
Here
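The steps above rely on two things: the extension acts on a script-generated click, and it releases a record for one site while a different site is loaded. The following check is an added example, not Keeper's code or code from this page; `mayReleaseCredential`, `httpsOrigin`, the record shape and the sample URLs are all hypothetical.

```javascript
// Added defensive sketch; all names and sample values are constructed.

// Reduce a URL to its origin; null for unparsable or non-HTTPS input.
function httpsOrigin(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === "https:" ? u.origin : null;
  } catch (_) {
    return null;
  }
}

// Decide whether a click in extension UI may release a stored secret.
//   event  - the click event (only isTrusted is read)
//   record - the vault entry the click selected, { url: "..." }
//   topUrl - URL of the top-level page as reported by the browser to the
//            extension, never a value supplied by the page itself
function mayReleaseCredential(event, record, topUrl) {
  // element.click() and dispatchEvent() produce events with isTrusted === false.
  if (!event || event.isTrusted !== true) {
    return { allow: false, reason: "synthetic-event" };
  }
  const recordOrigin = httpsOrigin(record && record.url);
  const pageOrigin = httpsOrigin(topUrl);
  if (recordOrigin === null || pageOrigin === null) {
    return { allow: false, reason: "bad-origin" };
  }
  // A real click is not enough: the frame may have been moved under the
  // pointer, so the record must also belong to the page being shown.
  if (recordOrigin !== pageOrigin) {
    return { allow: false, reason: "origin-mismatch" };
  }
  return { allow: true, reason: "ok" };
}

// Constructed sample data.
const twitterRecord = { url: "https://twitter.com/login" };
const untrustedPage = "https://untrusted.example/demo.html";
console.log(mayReleaseCredential({ isTrusted: false }, twitterRecord, untrustedPage));
console.log(mayReleaseCredential({ isTrusted: true }, twitterRecord, untrustedPage));
console.log(mayReleaseCredential({ isTrusted: true }, twitterRecord, "https://twitter.com/home"));
```

The origin comparison is strict, so a record saved for one subdomain is not released on another.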